Privacy and Security Tiger Team Recommendations on Policy “Sandbox” for ONC’s Query Health Project October 12, 2011

Upload: imaran

Post on 24-Feb-2016


Tiger Team Members

• Deven McGraw, Chair, Center for Democracy & Technology
• Paul Egerman, Co-Chair
• Dixie Baker, SAIC
• Neil Calman, Institute for Family Health
• Carol Diamond, Markle Foundation
• Judy Faulkner, EPIC Systems Corp.
• Leslie Francis, University of Utah; NCVHS
• Gayle Harrell, Consumer Representative/Florida
• John Houston, University of Pittsburgh Medical Center
• Alice Leiter, National Partnership for Women & Families
• David McCallie, Cerner Corp.
• Wes Rishel, Gartner
• Latanya Sweeney, Carnegie Mellon University
• Micky Tripathi, Massachusetts eHealth Collaborative
• Dan Callahan, Social Security Administration

• Joy Pritts, ONC
• Judy Sparrow, ONC


Goal of Today’s Discussion

• Present recommendations on overarching policies for ONC’s QueryHealth program


QueryHealth

• Description of project provided at last Policy Committee meeting by Rich Elmore of ONC.

• We won’t repeat this presentation, but relevant facts for our discussion include:

– Model is to bring the questions to the data, not collect the data centrally to answer the question: data holder retains control of raw data and performs analysis, reporting back aggregate or de-identified results.

– Initial set of queries will be developed by QueryHealth Clinical Workgroup, but data holders will decide whether or not they want to participate in a particular query.


QueryHealth Proposed Policies

• Disclosing Entity (data holder): Whether or not to run a particular query, and to release any results, will be under the control of the disclosing entity/data holder.

Tiger Team Recommendation:

1. The Tiger Team recommends the Policy Committee endorse this policy. It is consistent with the core value that patients trust their providers with respect to the privacy and security of health information; it is also consistent with our most recent recommendations on secondary uses of EHR data, which called for provider entities to be accountable for all access, use and disclosure of health information from their EHRs, including for secondary purposes.


QueryHealth Proposed Policies

• Data Exchange: Data being exchanged by a disclosing entity/data holder will be either (1) mock or test data; (2) aggregate de-identified data sets or aggregated limited data sets, each with data use agreements (even in circumstances where they are not required by law), or (3) a public health permitted use under state or federal law (which may be identifiable information where permitted by law).

Tiger Team’s Recommendations (4):

2. The Tiger Team agrees that the data being exchanged should be either de-identified data or an aggregated limited data set, with a data use agreement in place even for de-identified data. The data use agreement should, at a minimum, restrict the use of the data to facilitating QueryHealth and prohibit the recipient from re-identifying the data.


QueryHealth Proposed Policies

Tiger Team Recommendations on Data Exchange (cont.):

3. During the initial pilot phase of QueryHealth, ONC should implement clear policies restricting the data recipient from using information shared for QueryHealth for purposes other than to address the query that the disclosing entity/data holder has agreed to address.

4. This should be part of the data use agreement, but as QueryHealth scales beyond the pilot phase, ONC should consider the need for a governance structure that can enforce compliance with data use agreements and other policies. ONC should also use the experience of the pilots to help inform the type of governance that may be needed for oversight of QueryHealth in the future.


QueryHealth Proposed Policies

Tiger Team Recommendations on Data Exchange (cont.):

5. Although HIPAA allows identifiable data to be disclosed for public health purposes, not all public health activities require identifiable data. QueryHealth policy should be that disclosures are in the least identifiable form necessary to address the particular secondary data use query (i.e., consistent with the HIPAA minimum necessary standard). In other words, data disclosed in response to queries for public health purposes should also be a limited data set or de-identified unless greater identifiability of the data is specifically needed.


QueryHealth Proposed Policies

• Small cells: For other than regulated/permitted use purposes, cells with fewer than 5 observations shall be blurred by methods that reduce the accuracy of the information provided. (The CDC-CSTE Intergovernmental Data Release Guidelines Working Group has recommended limiting cell size to three counts presuming a sufficiently large population; this is also reflected in guidelines used by several states.)

Tiger Team Recommendation:

6. The Tiger Team agrees with this policy as a method of reducing the risk of identifiability of the data and recommends that the Policy Committee endorse it.
